Continuous backup of data in a distributed data store

ABSTRACT

A distributed data store may provide continuous backup for data stored in the distributed data store. Updates to data may be replicated amongst storage nodes according to a peer-to-peer replication scheme. A backup node may participate in the peer-to-peer replication scheme to identify additional updates to be applied to a backup version of the data in a separate data store. The backup node may obtain the updates according to the peer-to-peer replication scheme and update the backup version of the data. In some embodiments, configuration changes to the data in the distributed data store may be detected via the peer-to-peer replication scheme such that a backup node can adapt performance of backup operations in conformity with the configuration change.

This application is a continuation of U.S. patent application Ser. No.14/977,453, filed Dec. 21, 2015, which are hereby incorporated inreference herein in its entirety.

BACKGROUND

Data storage systems have implemented many different storage schemes forefficiently and reliability persisting data. Storage schemes implementedon a distributed system architecture are often deployed when storagesystem client applications, such as database systems, require greateravailability of the data persisted in the data storage system. Commonsolutions to making data available including storing one or moreversions or replicas of data on multiple storage nodes. However, byincreasing the number of versions or replicas, the complexity andoperational costs for generating consistent backups of persisted dataincreases. For example, synchronization protocols may complicategenerating and maintaining backup versions of data for storage systems.Generating backup versions of data volumes may need access to the datavolume in order to perform. However, consistency schemes may limit theability for backup operations to perform if, for instance, anothersystem operation or the storage client itself is accessing the datavolume. Alternatively, storage client operations may be blocked ordelayed while backup operations are performed. Neither the delay ofbackup operations or client operations is ideal, and may reduce overalldata storage performance and reliability.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a logical block diagram illustrating continuous backup of datain a distributed data store, according to some embodiments.

FIG. 2 is a block diagram illustrating a service system architecturethat may be configured to implement a network-based database service anda network-based distributed storage service that utilizes continuousbackup of data stored for the database service in the network-baseddistributed storage service, according to some embodiments.

FIG. 3 is a block diagram illustrating various components of a databasesystem that includes a database engine and a separate distributedstorage service, according to some embodiments.

FIG. 4 is a block diagram illustrating a distributed storage system andbackup and restore service for the distributed storage system, accordingto some embodiments.

FIG. 5 is a block diagram illustrating the use of a separate distributedstorage system in a database system, according to some embodiments.

FIG. 6 is a logical block diagram illustrating a backup node, accordingto some embodiments.

FIG. 7 is a logical block diagram illustrating a restore node, accordingto some embodiments.

FIG. 8 is a block diagram illustrating how data and metadata may bestored on a storage node of a distributed storage system, according tosome embodiments.

FIG. 9 is a block diagram illustrating an example configuration of adata volume, according to some embodiments.

FIG. 10 is a high-level flowchart illustrating methods and techniques toimplement continuous backup of data in a distributed data store,according to some embodiments.

FIG. 11 is a high-level flowchart illustrating methods and techniques todetect changes in configuration of data and adapt continuous backup forthe data in a distributed data store, according to some embodiments.

FIG. 12 is a high-level flowchart illustrating methods and techniques toimplement generating a full-backup version of data in a backup datastore, according to some embodiments.

FIG. 13 is an example computer system, according to various embodiments.

While embodiments are described herein by way of example for severalembodiments and illustrative drawings, those skilled in the art willrecognize that the embodiments are not limited to the embodiments ordrawings described. It should be understood, that the drawings anddetailed description thereto are not intended to limit embodiments tothe particular form disclosed, but on the contrary, the intention is tocover all modifications, equivalents and alternatives falling within thespirit and scope as defined by the appended claims. The headings usedherein are for organizational purposes only and are not meant to be usedto limit the scope of the description or the claims. As used throughoutthis application, the word “may” is used in a permissive sense (i.e.,meaning having the potential to), rather than the mandatory sense (i.e.,meaning must). The words “include,” “including,” and “includes” indicateopen-ended relationships and therefore mean including, but not limitedto. Similarly, the words “have,” “having,” and “has” also indicateopen-ended relationships, and thus mean having, but not limited to. Theterms “first,” “second,” “third,” and so forth as used herein are usedas labels for nouns that they precede, and do not imply any type ofordering (e.g., spatial, temporal, logical, etc.) unless such anordering is otherwise explicitly indicated.

Various components may be described as “configured to” perform a task ortasks. In such contexts, “configured to” is a broad recitation generallymeaning “having structure that” performs the task or tasks duringoperation. As such, the component can be configured to perform the taskeven when the component is not currently performing that task (e.g., acomputer system may be configured to perform operations even when theoperations are not currently being performed). In some contexts,“configured to” may be a broad recitation of structure generally meaning“having circuitry that” performs the task or tasks during operation. Assuch, the component can be configured to perform the task even when thecomponent is not currently on. In general, the circuitry that forms thestructure corresponding to “configured to” may include hardwarecircuits.

Various components may be described as performing a task or tasks, forconvenience in the description. Such descriptions should be interpretedas including the phrase “configured to.” Reciting a component that isconfigured to perform one or more tasks is expressly intended not toinvoke 35 U.S.C. § 112(f), interpretation for that component.

“Based On.” As used herein, this term is used to describe one or morefactors that affect a determination. This term does not forecloseadditional factors that may affect a determination. That is, adetermination may be solely based on those factors or based, at least inpart, on those factors. Consider the phrase “determine A based on B.”While B may be a factor that affects the determination of A, such aphrase does not foreclose the determination of A from also being basedon C. In other instances, A may be determined based solely on B.

The scope of the present disclosure includes any feature or combinationof features disclosed herein (either explicitly or implicitly), or anygeneralization thereof, whether or not it mitigates any or all of theproblems addressed herein. Accordingly, new claims may be formulatedduring prosecution of this application (or an application claimingpriority thereto) to any such combination of features. In particular,with reference to the appended claims, features from dependent claimsmay be combined with those of the independent claims and features fromrespective independent claims may be combined in any appropriate mannerand not merely in the specific combinations enumerated in the appendedclaims.

DETAILED DESCRIPTION

Various embodiments of providing volume recovery access in a distributeddata store for multiple recovery agents are described herein. Adistributed data store may provide storage for various storage clients.These storage clients may include many different types of applicationsor services which rely upon the distributed data store to providereliable and consistent access to stored data (which may be referred toherein as a “data volume”). For example, a database system, such asdescribed below with regard to FIGS. 2-9 may utilize a distributed datastore as the backend storage for a database. According to the needs ofapplications and services that rely upon the distributed data store, adistributed data store may be configured to provide varying types ofbackup versions of a data volume that may be accessed and/or restored(e.g., in the event of a failure or erroneous change to the data volumeto be undone). For instance, backup versions of a data volume may beassociated with different points in time so that a deserved version ofthe data volume at a particular time may be generated (e.g., to rollback certain changes or events to the data volume).

Generally, the more backup versions of a data volume retained atdifferent points in time, the greater the likelihood a backup version ofthe data volume exists in desired state. However, operations to generatebackup versions of a data volume can interrupt the performanceforeground operations, such as I/O operations to write new or modifydata in the data volume or read data from the data volume. Oftentimes,operations to generate a backup version of a data volume completely haltor block I/O operations, so that a consistent version of the data volumemay be backed up. Continuous backup of data in a distributed data storemay leverage the replication scheme of a data store, such as apeer-to-peer replication scheme, so that updates to a data volume may bereplicated to a backup version of the data volume without interruptingor blocking performance of I/O to the data volume.

FIG. 1 is a logical block diagram illustrating continuous backup of datain a distributed data store, according to some embodiments. Writer 110may be a client or other system, component or device with rights toaccess data stored in distributed data store 100. Distributed data store100 may maintain the data across multiple storage nodes, such as storagenodes 120 a, 120 b, 120 c, and 120 d, in order to maintain multiplereplicas of the data. In order to ensure that changes to the data areconsistently made across the storage nodes 120, a peer-to-peer updatereplication scheme 124 may be implemented so that changes made to thedata at one storage node (e.g., at storage node 120 a) are discovered orcommunicated to other storage nodes (e.g., storage nodes 120 b, 120 c,and 120 d) which did not receive the changes to the data directly. Datastore 130 may be a separate data store (e.g., implemented as part of aseparate storage system or service) that maintains backup version ofdata 132 separate from the data in distributed data store 100.

As illustrated in FIG. 1, writer 110 may perform various updates 112 tochange, add, modify, and/or remove data (or representations of thechanges to be made to the data, such as the redo log records discussedbelow with respect to FIGS. 2-9), stored in distributed data store 100.Updates 112 may be directed to one or multiples ones of the storagenodes 120 (e.g., according to a quorum model such that a minimum numberof storage nodes out of a group of storage nodes may acknowledge anupdate 112 before that update 112 is considered durable by writer 110).Storage nodes 120 that receive the updates 112 may allow other storagenodes to discover the updates via peer-to-peer update replication 124.For example, peer-to-peer update replication may be implemented as agossip-based protocol where storage nodes that receive an updateforward, send, or otherwise share the update with other storage nodes.In some embodiments, peer-to-peer update replication may allow otherstorage nodes to ask about the state of data on another storage node,including any changes that have been made to the data, and ask forcopies of the changes to the data. In this way, storage nodes mayutilize peer-to-peer update replication 124 to proactively or passivelylearn about updates 112.

Backup node 122 may be implemented so as to participate in peer-to-peerupdate replication 124. For example, backup node 122 may be identifiedby other storage nodes 120 as a storage node peer that is sent updatesreceived at storage nodes 120. Backup node 122 may send peer-to-peerrequests to ask about the state of the data on a storage node (e.g.,storage node 120 c) to determine whether storage node 120 c has receivedany updates 112 about which the backup node is unaware. Based on variousindications and other information shared with backup node 122 viapeer-to-peer update replication, backup node 122 may obtain updates 112that have made to data. Backup node 122 may then apply the updates 134to backup version(s) of data 132 in a separate data store 130. In thisway backup operations to obtain updates 112 are non-disruptive to theapplication of new updates 112 (or other I/O operations such as requeststo read data), and may appear, from the perspective of a clients of thedistributed data store 100 and from the perspective of the distributeddata store as another “storage node” participating in the replication ofupdates 112. Moreover, updates may be continuously applied to a backupversion so that multiple versions of data can be maintained (e.g., asmay be described by a log of updates) and the backup version of data 132is close to the current state of the data (minimizing potential dataloss in the event of a failure at distributed data store).

Backup node 122 may also dynamically detect and adapt backup operationsto respond to changes in the configuration of data as it is stored indistributed data store 100. For example, a data volume may be stored inmultiple different extents (e.g., as discussed below with regard to FIG.9) that are replicated amongst multiple storage nodes that make up aprotection group for each extent. Member nodes of protection groups maychange (e.g., due to failures, reassignments, etc.), and backup node 122may detect these changes when communicating with storage nodes in aprotection group (e.g., utilizing the same detection mechanisms thatmember nodes use). Backup nodes 122 may also determine dataconfiguration changes when the size of data changes (e.g., expands) toensure that peer-to-peer replication with additional storage nodesstoring the expanded data is participated in/observed as well. Eventsthat change the configuration of data, such as recovery operations todetermine a consistent state of data in the event of writer or datastore failures may also be detected by backup node 122.

Please note, FIG. 1 is provided as a logical illustration of adistributed data store providing continuous backup of data, and is notintended to be limiting as to the physical arrangement, size, or numberof components, modules, or devices, such as the number of backup nodes,implementing a distributed data store, writer, peer-to-peer replication,or a separate data store maintaining backup data versions.

The specification first describes an example of a distributed data storeas a distributed storage service, according to various embodiments. Theexample distributed storage service may store data for many differenttypes of clients, in various embodiments. One such client may be anetwork-based database service, described in further detail below.Included in the description of the example network-based databaseservice are various aspects of the example network-based databaseservice along with the various interactions between the databaseservice, the distributed storage service, and a separate data storemaintaining backup versions of data volumes in the distributed storageservice. The specification then describes a flowchart of variousembodiments of methods for continuous backup for data in a distributeddata store. Next, the specification describes an example system that mayimplement the disclosed techniques. Various examples are providedthroughout the specification.

The systems described herein may, in some embodiments, implement anetwork-based service that enables clients (e.g., subscribers) tooperate a data storage system in a cloud computing environment. In someembodiments, the data storage system may be an enterprise-class databasesystem that is highly scalable and extensible. In some embodiments,queries may be directed to database storage that is distributed acrossmultiple physical resources, and the database system may be scaled up ordown on an as needed basis. The database system may work effectivelywith database schemas of various types and/or organizations, indifferent embodiments. In some embodiments, clients/subscribers maysubmit queries in a number of ways, e.g., interactively via an SQLinterface to the database system. In other embodiments, externalapplications and programs may submit queries using Open DatabaseConnectivity (ODBC) and/or Java Database Connectivity (JDBC) driverinterfaces to the database system.

More specifically, the systems described herein may, in someembodiments, implement a service-oriented architecture in which variousfunctional components of a single database system are intrinsicallydistributed. For example, rather than lashing together multiple completeand monolithic database instances (each of which may include extraneousfunctionality, such as an application server, search functionality, orother functionality beyond that required to provide the core functionsof a database), these systems may organize the basic operations of adatabase (e.g., query processing, transaction management, caching andstorage) into tiers that may be individually and independently scalable.For example, in some embodiments, each database instance in the systemsdescribed herein may include a database tier (which may include a singledatabase engine head node and a client-side storage system driver), aseparate, distributed storage system (which may include multiple storagenodes that collectively perform some of the operations traditionallyperformed in the database tier of existing systems), and a backupstorage tier.

As described in more detail herein, in some embodiments, some of thelowest level operations of a database, (e.g., backup, restore, recovery,log record manipulation, and/or various space management operations) maybe offloaded from the database engine to the storage layer (or tier),such as a distributed storage system, and distributed across multiplenodes and storage devices. For example, in some embodiments, rather thanthe database engine applying changes to a database (or data pagesthereof) and then sending the modified data pages to the storage layer,the application of changes to the stored database (and data pagesthereof) may be the responsibility of the storage layer itself. In suchembodiments, redo log records, rather than modified data pages, may besent to the storage layer, after which redo processing (e.g., theapplication of the redo log records) may be performed somewhat lazilyand in a distributed manner (e.g., by a background process). Logsequence numbers may be assigned to the redo log records from a logsequence number space. In some embodiments, crash recovery (e.g., therebuilding of data pages from stored redo log records) may also beperformed by the storage layer and may also be performed by adistributed (and, in some cases, lazy) background process. In someembodiments, the storage layer may maintain backup versions of datavolumes in a separate storage system (e.g., another storage serviceimplemented as part of network-based services platform 200) byleveraging peer-to-peer replication among storage nodes to identify andobtain new updates to data volumes for inclusion in backup versions.

In some embodiments, because only redo logs (and not modified datapages) are sent to the storage layer, there may be much less networktraffic between the database tier and the storage layer than in existingdatabase systems. In some embodiments, each redo log may be on the orderof one-tenth the size of the corresponding data page for which itspecifies a change. Note that requests sent from the database tier andthe distributed storage system may be asynchronous and that multiplesuch requests may be in flight at a time.

In general, after being given a piece of data, a primary requirement ofa database is that it can eventually give that piece of data back. To dothis, the database may include several different components (or tiers),each of which performs a different function. For example, a traditionaldatabase may be thought of as having three tiers: a first tier forperforming query parsing, optimization and execution; a second tier forproviding transactionality, recovery, and durability; and a third tierthat provides storage, either on locally attached disks or onnetwork-attached storage. As noted above, previous attempts to scale atraditional database have typically involved replicating all three tiersof the database and distributing those replicated database instancesacross multiple machines.

In some embodiments, the systems described herein may partitionfunctionality of a database system differently than in a traditionaldatabase, and may distribute only a subset of the functional components(rather than a complete database instance) across multiple machines inorder to implement scaling. For example, in some embodiments, aclient-facing tier may be configured to receive a request specifyingwhat data is to be stored or retrieved, but not how to store or retrievethe data. This tier may perform request parsing and/or optimization(e.g., SQL parsing and optimization), while another tier may beresponsible for query execution. In some embodiments, a third tier maybe responsible for providing transactionality and consistency ofresults. For example, this tier may be configured to enforce some of theso-called ACID properties, in particular, the Atomicity of transactionsthat target the database, maintaining Consistency within the database,and ensuring Isolation between the transactions that target thedatabase. In some embodiments, a fourth tier may then be responsible forproviding Durability of the stored data in the presence of various sortsof faults. For example, this tier may be responsible for change logging,recovery from a database crash, managing access to the underlyingstorage volumes and/or space management in the underlying storagevolumes.

In various embodiments, a database instance may include multiplefunctional components (or layers), each of which provides a portion ofthe functionality of the database instance. In one such example, adatabase instance may include a query parsing and query optimizationlayer, a query execution layer, a transactionality and consistencymanagement layer, and a durability and space management layer. As notedabove, in some existing database systems, scaling a database instancemay involve duplicating the entire database instance one or more times(including all of the example layers), and then adding glue logic tostitch them together. In some embodiments, the systems described hereinmay instead offload the functionality of durability and space managementlayer from the database tier to a separate storage layer, and maydistribute that functionality across multiple storage nodes in thestorage layer.

In some embodiments, the database systems described herein may retainmuch of the structure of the upper half of the database instance, suchas query parsing and query optimization layer, a query execution layer,and a transactionality and consistency management layer, but mayredistribute responsibility for at least portions of the backup,restore, snapshot, recovery, and/or various space management operationsto the storage tier. Redistributing functionality in this manner andtightly coupling log processing between the database tier and thestorage tier may improve performance, increase availability and reducecosts, when compared to previous approaches to providing a scalabledatabase. For example, network and input/output bandwidth requirementsmay be reduced, since only redo log records (which are much smaller insize than the actual data pages) may be shipped across nodes orpersisted within the latency path of write operations. In addition, thegeneration of data pages can be done independently in the background oneach storage node (as foreground processing allows), without blockingincoming write operations. In some embodiments, the use oflog-structured, non-overwrite storage may allow backup, restore,snapshots, point-in-time recovery, and volume growth operations to beperformed more efficiently, e.g., by using metadata manipulation ratherthan movement or copying of a data page. In some embodiments, thestorage layer may also assume the responsibility for the replication ofdata stored on behalf of clients (and/or metadata associated with thatdata, such as redo log records) across multiple storage nodes. Forexample, data (and/or metadata) may be replicated locally (e.g., withina single “availability zone” in which a collection of storage nodesexecutes on its own physically distinct, independent infrastructure)and/or across availability zones in a single region or in differentregions.

In various embodiments, the database systems described herein maysupport a standard or custom application programming interface (API) fora variety of database operations. For example, the API may supportoperations for creating a database, creating a table, altering a table,creating a user, dropping a user, inserting one or more rows in a table,copying values, selecting data from within a table (e.g., querying atable), canceling or aborting a query, creating a snapshot, and/or otheroperations.

In some embodiments, the database tier of a database instance mayinclude a database engine head node server that receives read and/orwrite requests from various client programs (e.g., applications) and/orsubscribers (users), then parses them and develops an execution plan tocarry out the associated database operation(s). For example, thedatabase engine head node may develop the series of steps necessary toobtain results for complex queries and joins. In some embodiments, thedatabase engine head node may manage communications between the databasetier of the database system and clients/subscribers, as well ascommunications between the database tier and a separate distributedstorage system.

In some embodiments, the database engine head node may be responsiblefor receiving SQL requests from end clients through a JDBC or ODBCinterface and for performing SQL processing and transaction management(which may include locking) locally. However, rather than generatingdata pages locally, the database engine head node (or various componentsthereof) may generate redo log records and may ship them to theappropriate nodes of a separate distributed storage system. In someembodiments, a client-side driver for the distributed storage system maybe hosted on the database engine head node and may be responsible forrouting redo log records to the storage system node (or nodes) thatstore the segments (or data pages thereof) to which those redo logrecords are directed. For example, in some embodiments, each segment maybe mirrored (or otherwise made durable) on multiple storage system nodesthat form a protection group. In such embodiments, the client-sidedriver may keep track of the nodes on which each segment is stored andmay route redo logs to all of the nodes on which a segment is stored(e.g., asynchronously and in parallel, at substantially the same time),when a client request is received. As soon as the client-side driverreceives an acknowledgement back from a write quorum of the storagenodes in the protection group (which may indicate that the redo logrecord has been written to the storage node), it may send anacknowledgement of the requested change to the database tier (e.g., tothe database engine head node). For example, in embodiments in whichdata is made durable through the use of protection groups, the databaseengine head node may not be able to commit a transaction until andunless the client-side driver receives a reply from enough storage nodeinstances to constitute a write quorum, as may be defined in aprotection group policy for the data.

In some embodiments, the database tier (or more specifically, thedatabase engine head node) may include a cache in which recentlyaccessed data pages are held temporarily. In such embodiments, if awrite request is received that targets a data page held in such a cache,in addition to shipping a corresponding redo log record to the storagelayer, the database engine may apply the change to the copy of the datapage held in its cache. However, unlike in other database systems, adata page held in this cache may not ever be flushed to the storagelayer, and it may be discarded at any time (e.g., at any time after theredo log record for a write request that was most recently applied tothe cached copy has been sent to the storage layer and acknowledged).The cache may implement any of various locking mechanisms to controlaccess to the cache by at most one writer (or multiple readers) at atime, in different embodiments. Note, however, that in embodiments thatinclude such a cache, the cache may not be distributed across multiplenodes, but may exist only on the database engine head node for a givendatabase instance. Therefore, there may be no cache coherency orconsistency issues to manage.

In some embodiments, the database tier may support the use ofsynchronous or asynchronous read replicas in the system, e.g., read-onlycopies of data on different nodes of the database tier to which readrequests can be routed. In such embodiments, if the database engine headnode for a given database receives a read request directed to aparticular data page, it may route the request to any one (or aparticular one) of these read-only copies. In some embodiments, theclient-side driver in the database engine head node may be configured tonotify these other nodes about updates and/or invalidations to cacheddata pages (e.g., in order to prompt them to invalidate their caches,after which they may request updated copies of updated data pages fromthe storage layer).

In some embodiments, the client-side driver running on the databaseengine head node may expose a private interface to the storage tier. Insome embodiments, it may also expose a traditional iSCSI interface toone or more other components (e.g., other database engines or virtualcomputing services components). In some embodiments, storage for adatabase instance in the storage tier may be modeled as a single volumethat can grow in size without limits, and that can have an unlimitednumber of IOPS associated with it. When a volume is created, it may becreated with a specific size, with a specific availability/durabilitycharacteristic (e.g., specifying how it is replicated), and/or with anIOPS rate associated with it (e.g., both peak and sustained). Forexample, in some embodiments, a variety of different durability modelsmay be supported, and users/subscribers may be able to specify, fortheir database, a number of replication copies, zones, or regions and/orwhether replication is synchronous or asynchronous based upon theirdurability, performance and cost objectives.

In some embodiments, the client side driver may maintain metadata aboutthe volume and may directly send asynchronous requests to each of thestorage nodes necessary to fulfill read requests and write requestswithout requiring additional hops between storage nodes. The volumemetadata may indicate which protection groups, and their respectivestorage nodes, maintain which partitions of the volume. For example, insome embodiments, in response to a request to make a change to adatabase, the client-side driver may be configured to determine theprotection group, and its one or more nodes that are implementing thestorage for the targeted data page, and to route the redo log record(s)specifying that change to those storage nodes. The storage nodes maythen be responsible for applying the change specified in the redo logrecord to the targeted data page at some point in the future. As writesare acknowledged back to the client-side driver, the client-side drivermay advance the point at which the volume is durable and may acknowledgecommits back to the database tier. As previously noted, in someembodiments, the client-side driver may not ever send data pages to thestorage node servers. This may not only reduce network traffic, but mayalso remove the need for the checkpoint or background writer threadsthat constrain foreground-processing throughput in previous databasesystems.

In some embodiments, many read requests may be served by the databaseengine head node cache. However, write requests may require durability,since large-scale failure events may be too common to allow onlyin-memory replication. Therefore, the systems described herein may beconfigured to minimize the cost of the redo log record write operationsthat are in the foreground latency path by implementing data storage inthe storage tier as two regions: a small append-only log-structuredregion into which redo log records are written when they are receivedfrom the database tier, and a larger region in which log records arecoalesced together to create new versions of data pages in thebackground. In some embodiments, an in-memory structure may bemaintained for each data page that points to the last redo log recordfor that page, backward chaining log records until an instantiated datablock is referenced. This approach may provide good performance formixed read-write workloads, including in applications in which reads arelargely cached.

In some embodiments, because accesses to the log-structured data storagefor the redo log records may consist of a series of sequentialinput/output operations (rather than random input/output operations),the changes being made may be tightly packed together. It should also benoted that, in contrast to existing systems in which each change to adata page results in two input/output operations to persistent datastorage (one for the redo log and one for the modified data pageitself), in some embodiments, the systems described herein may avoidthis “write amplification” by coalescing data pages at the storage nodesof the distributed storage system based on receipt of the redo logrecords.

One embodiment of a service system architecture that may be configuredto implement a network-based services-based database service isillustrated in FIG. 2. In the illustrated embodiment, a number ofclients (shown as clients 250 a-250 n) may be configured to interactwith a network-based services platform 200 via a network 260.Network-based services platform 200 may be configured to interface withone or more instances of a database service 210, a distributed storageservice 220 and/or one or more other virtual computing services 230.Distributed storage service may be implemented as log-structured storageusing a single log sequence number space. It is noted that where one ormore instances of a given component may exist, reference to thatcomponent herein may be made in either the singular or the plural.However, usage of either form is not intended to preclude the other.

In various embodiments, the components illustrated in FIG. 2 may beimplemented directly within computer hardware, as instructions directlyor indirectly executable by computer hardware (e.g., a microprocessor orcomputer system), or using a combination of these techniques. Forexample, the components of FIG. 2 may be implemented by a system thatincludes a number of computing nodes (or simply, nodes), each of whichmay be similar to the computer system embodiment illustrated in FIG. 13and described below. In various embodiments, the functionality of agiven service system component (e.g., a component of the databaseservice or a component of the storage service) may be implemented by aparticular node or may be distributed across several nodes. In someembodiments, a given node may implement the functionality of more thanone service system component (e.g., more than one database servicesystem component).

Generally speaking, clients 250 may encompass any type of clientconfigurable to submit network-based services requests to network-basedservices platform 200 via network 260, including requests for databaseservices (e.g., a request to generate a restored version of a datavolume at a particular point in time, etc.). For example, a given client250 may include a suitable version of a web browser, or may include aplug-in module or other type of code module configured to execute as anextension to or within an execution environment provided by a webbrowser. Alternatively, a client 250 (e.g., a database service client)may encompass an application such as a database application (or userinterface thereof), a media application, an office application or anyother application that may make use of persistent storage resources tostore and/or access one or more databases. In some embodiments, such anapplication may include sufficient protocol support (e.g., for asuitable version of Hypertext Transfer Protocol (HTTP)) for generatingand processing network-based services requests without necessarilyimplementing full browser support for all types of network-based data.That is, client 250 may be an application configured to interactdirectly with network-based services platform 200. In some embodiments,client 250 may be configured to generate network-based services requestsaccording to a Representational State Transfer (REST)-stylenetwork-based services architecture, a document- or message-basednetwork-based services architecture, or another suitable network-basedservices architecture.

In some embodiments, a client 250 (e.g., a database service client) maybe configured to provide access to network-based services-based storageof databases to other applications in a manner that is transparent tothose applications. For example, client 250 may be configured tointegrate with an operating system or file system to provide storage inaccordance with a suitable variant of the storage models describedherein. However, the operating system or file system may present adifferent storage interface to applications, such as a conventional filesystem hierarchy of files, directories and/or folders. In such anembodiment, applications may not need to be modified to make use of thestorage system service model. Instead, the details of interfacing tonetwork-based services platform 200 may be coordinated by client 250 andthe operating system or file system on behalf of applications executingwithin the operating system environment.

Clients 250 may convey network-based services requests (e.g., a restorevolume request, parameters of a restore volume request, read request,restore a version of data volume, etc.) to and receive responses fromnetwork-based services platform 200 via network 260. In variousembodiments, network 260 may encompass any suitable combination ofnetworking hardware and protocols necessary to establishnetwork-based-based communications between clients 250 and platform 200.For example, network 260 may generally encompass the varioustelecommunications networks and service providers that collectivelyimplement the Internet. Network 260 may also include private networkssuch as local area networks (LANs) or wide area networks (WANs) as wellas public or private wireless networks. For example, both a given client250 and network-based services platform 200 may be respectivelyprovisioned within enterprises having their own internal networks. Insuch an embodiment, network 260 may include the hardware (e.g., modems,routers, switches, load balancers, proxy servers, etc.) and software(e.g., protocol stacks, accounting software, firewall/security software,etc.) necessary to establish a networking link between given client 250and the Internet as well as between the Internet and network-basedservices platform 200. It is noted that in some embodiments, clients 250may communicate with network-based services platform 200 using a privatenetwork rather than the public Internet. For example, clients 250 may beprovisioned within the same enterprise as a database service system(e.g., a system that implements database service 210 and/or distributedstorage service 220). In such a case, clients 250 may communicate withplatform 200 entirely through a private network 260 (e.g., a LAN or WANthat may use Internet-based communication protocols but which is notpublicly accessible).

Generally speaking, network-based services platform 200 may beconfigured to implement one or more service endpoints configured toreceive and process network-based services requests, such as requests toaccess data pages (or records thereof). For example, network-basedservices platform 200 may include hardware and/or software configured toimplement a particular endpoint, such that an HTTP-based network-basedservices request directed to that endpoint is properly received andprocessed. In one embodiment, network-based services platform 200 may beimplemented as a server system configured to receive network-basedservices requests from clients 250 and to forward them to components ofa system that implements database service 210, distributed storageservice 220 and/or another virtual computing service 230 for processing(e.g. another data storage service, such as an object data store whichmay store data objects that make up a backup version data volumes storedin the distributed storage service 2200. In other embodiments,network-based services platform 200 may be configured as a number ofdistinct systems (e.g., in a cluster topology) implementing loadbalancing and other request management features configured todynamically manage large-scale network-based services request processingloads. In various embodiments, network-based services platform 200 maybe configured to support REST-style or document-based (e.g., SOAP-based)types of network-based services requests.

In addition to functioning as an addressable endpoint for clients'network-based services requests, in some embodiments, network-basedservices platform 200 may implement various client management features.For example, platform 200 may coordinate the metering and accounting ofclient usage of network-based services, including storage resources,such as by tracking the identities of requesting clients 250, the numberand/or frequency of client requests, the size of data tables (or recordsthereof) stored or retrieved on behalf of clients 250, overall storagebandwidth used by clients 250, class of storage requested by clients250, or any other measurable client usage parameter. Platform 200 mayalso implement financial accounting and billing systems, or may maintaina database of usage data that may be queried and processed by externalsystems for reporting and billing of client usage activity. In certainembodiments, platform 200 may be configured to collect, monitor and/oraggregate a variety of storage service system operational metrics, suchas metrics reflecting the rates and types of requests received fromclients 250, bandwidth utilized by such requests, system processinglatency for such requests, system component utilization (e.g., networkbandwidth and/or storage utilization within the storage service system),rates and types of errors resulting from requests, characteristics ofstored and requested data pages or records thereof (e.g., size, datatype, etc.), or any other suitable metrics. In some embodiments suchmetrics may be used by system administrators to tune and maintain systemcomponents, while in other embodiments such metrics (or relevantportions of such metrics) may be exposed to clients 250 to enable suchclients to monitor their usage of database service 210, distributedstorage service 220 and/or another virtual computing service 230 (or theunderlying systems that implement those services).

In some embodiments, network-based services platform 200 may alsoimplement user authentication and access control procedures. Forexample, for a given network-based services request to access aparticular database, platform 200 may be configured to ascertain whetherthe client 250 associated with the request is authorized to access theparticular database. Platform 200 may determine such authorization by,for example, evaluating an identity, password or other credentialagainst credentials associated with the particular database, orevaluating the requested access to the particular database against anaccess control list for the particular database. For example, if aclient 250 does not have sufficient credentials to access the particulardatabase, platform 200 may reject the corresponding network-basedservices request, for example by returning a response to the requestingclient 250 indicating an error condition. Various access controlpolicies may be stored as records or lists of access control informationby database service 210, distributed storage service 220 and/or othervirtual computing services 230.

It is noted that while network-based services platform 200 may representthe primary interface through which clients 250 may access the featuresof a database system that implements database service 210, it need notrepresent the sole interface to such features. For example, an alternateAPI that may be distinct from a network-based services interface may beused to allow clients internal to the enterprise providing the databasesystem to bypass network-based services platform 200. Note that in manyof the examples described herein, distributed storage service 220 may beinternal to a computing system or an enterprise system that providesdatabase services to clients 250, and may not be exposed to externalclients (e.g., users or client applications). In such embodiments, theinternal “client” (e.g., database service 210) may access distributedstorage service 220 over a local or private network, shown as the solidline between distributed storage service 220 and database service 210(e.g., through an API directly between the systems that implement theseservices). In such embodiments, the use of distributed storage service220 in storing databases on behalf of clients 250 may be transparent tothose clients. In other embodiments, distributed storage service 220 maybe exposed to clients 250 through network-based services platform 200 toprovide storage of databases or other information for applications otherthan those that rely on database service 210 for database management.This is illustrated in FIG. 2 by the dashed line between network-basedservices platform 200 and distributed storage service 220. In suchembodiments, clients of the distributed storage service 220 may accessdistributed storage service 220 via network 260 (e.g., over theInternet). In some embodiments, a virtual computing service 230 may beconfigured to receive storage services from distributed storage service220 (e.g., through an API directly between the virtual computing service230 and distributed storage service 220) to store objects used inperforming computing services 230 on behalf of a client 250. This isillustrated in FIG. 2 by the dashed line between virtual computingservice 230 and distributed storage service 220. In some cases, theaccounting and/or credentialing services of platform 200 may beunnecessary for internal clients such as administrative clients orbetween service components within the same enterprise.

Although not illustrated, in various embodiments distributed storageservice 220 may be configured to interface with backup data store,system, service, or device. Various data, such as data pages, logrecords, and/or any other data maintained by distributed storage serviceinternal clients, such as database service 210 or other virtualcomputing services 230, and/or external clients such as clients 250 athrough 250 n, may be sent to a backup data store.

Note that in various embodiments, different storage policies may beimplemented by database service 210 and/or distributed storage service220. Examples of such storage policies may include a durability policy(e.g., a policy indicating the number of instances of a database (ordata page thereof) that will be stored and the number of different nodeson which they will be stored) and/or a load balancing policy (which maydistribute databases, or data pages thereof, across different nodes,volumes and/or disks in an attempt to equalize request traffic). Inaddition, different storage policies may be applied to different typesof stored items by various one of the services. For example, in someembodiments, distributed storage service 220 may implement a higherdurability for redo log records than for data pages.

FIG. 3 is a block diagram illustrating various components of a databasesystem that includes a database engine and a separate distributeddatabase storage service, according to one embodiment. In this example,database system 300 includes a respective database engine head node 320for each of several databases and a distributed storage service 310(which may or may not be visible to the clients of the database system,shown as database clients 350 a-350 n). As illustrated in this example,one or more of database clients 350 a-350 n may access a database headnode 320 (e.g., head node 320 a, head node 320 b, or head node 320 c,each of which is a component of a respective database instance) vianetwork 360 (e.g., these components may be network-addressable andaccessible to the database clients 350 a-350 n). However, distributedstorage service 310, which may be employed by the database system tostore a database volume (such as data pages of one or more databases, aswell as redo log records and/or other metadata associated therewith) onbehalf of database clients 350 a-350 n, and to perform other functionsof the database system as described herein, may or may not benetwork-addressable and accessible to the storage clients 350 a-350 n,in different embodiments. For example, in some embodiments, distributedstorage service 310 may perform various storage, access, change logging,recovery, log record manipulation, and/or space management operations ina manner that is invisible to storage clients 350 a-350 n.

As previously noted, each database instance may include a singledatabase engine head node 320 that receives requests (e.g., a restorevolume request, etc.) from various client programs (e.g., applications)and/or subscribers (users), then parses them, optimizes them, anddevelops an execution plan to carry out the associated databaseoperation(s). In the example illustrated in FIG. 3, a query parsing,optimization, and execution component 305 of database engine head node320 a may perform these functions for queries that are received fromdatabase client 350 a and that target the database instance of whichdatabase engine head node 320 a is a component. In some embodiments,query parsing, optimization, and execution component 305 may returnquery responses to database client 350 a, which may include writeacknowledgements, requested data pages (or portions thereof), errormessages, and or other responses, as appropriate. As illustrated in thisexample, database engine head node 320 a may also include a client-sidestorage service driver 325, which may route read requests and/or redolog records to various storage nodes within distributed storage service310, receive write acknowledgements from distributed storage service310, receive requested data pages from distributed storage service 310,and/or return data pages, error messages, or other responses to queryparsing, optimization, and execution component 305 (which may, in turn,return them to database client 350 a). Client-side storage device maymaintain mapping information about the database volume stored indistributed storage service 310, such that a particular protection groupmaintaining a partition of the database volume may be determined. Readrequests and redo log records may then be routed to storage nodes thatare members of the protection group according to the partition of userdata to which the read request is directed or to which the redo logrecord pertains.

In this example, database engine head node 320 a includes a data pagecache 335, in which data pages that were recently accessed may betemporarily held. As illustrated in FIG. 3, database engine head node320 a may also include a transaction and consistency managementcomponent 330, which may be responsible for providing transactionalityand consistency in the database instance of which database engine headnode 320 a is a component. For example, this component may beresponsible for ensuring the Atomicity, Consistency, and Isolationproperties of the database instance and the transactions that aredirected that the database instance. As illustrated in FIG. 3, databaseengine head node 320 a may also include a transaction log 340 and anundo log 345, which may be employed by transaction and consistencymanagement component 330 to track the status of various transactions androll back any locally cached results of transactions that do not commit.

Note that each of the other database engine head nodes 320 illustratedin FIG. 3 (e.g., 320 b and 320 c) may include similar components and mayperform similar functions for queries received by one or more ofdatabase clients 350 a-350 n and directed to the respective databaseinstances of which it is a component.

In some embodiments, the distributed storage systems described hereinmay organize data in various logical data volumes, extents (which mayinclude partitions of the user data space in the volume and asegmentation of the log for the volume) made durable among a protectiongroup of storage nodes, segments (which may be data stored on anindividual storage node of a protection group) and pages for storage onone or more storage nodes. For example, in some embodiments, eachdatabase is represented by a logical volume, and each logical volume ispartitioned over a collection of storage nodes into extents. Aprotection group may be composed of different storage nodes in thedistributed storage service that together make an extent durable.Multiple segments, each of which lives on a particular one of thestorage nodes in a protection group, are used to make the extentdurable.

In some embodiments, each data page is stored in a segment, such thateach segment stores a collection of one or more data pages and a changelog (also referred to as a redo log) (e.g., a log of redo log records)for each data page that it stores. Thus, change logs may be log recordssegmented to the protection group of which the segment is a member. Asdescribed in detail herein, the storage nodes may be configured toreceive redo log records (which may also be referred to herein as ULRs)and to coalesce them to create new versions of the corresponding datapages and/or additional or replacement log records (e.g., lazily and/orin response to a request for a data page or a database crash). In someembodiments, data pages and/or change logs may be mirrored acrossmultiple storage nodes, according to a variable configuration, such asin a protection group (which may be specified by the client on whosebehalf the databases are being maintained in the database system). Forexample, in different embodiments, one, two, or three copies of the dataor change logs may be stored in each of one, two, or three differentavailability zones or regions, according to a default configuration, anapplication-specific durability preference, or a client-specifieddurability preference.

As used herein, the following terms may be used to describe theorganization of data by a distributed storage system, according tovarious embodiments.

Volume: A volume is a logical concept representing a highly durable unitof storage that a user/client/application of the storage systemunderstands. More specifically, a volume is a distributed store thatappears to the user/client/application as a single consistent orderedlog of write operations to various user pages of a database. Each writeoperation may be encoded in a User Log Record (ULR), which represents alogical, ordered mutation to the contents of a single user page withinthe volume. As noted above, a ULR may also be referred to herein as aredo log record. Each ULR may include a unique identifier (e.g., aLogical Sequence Number (LSN)) assigned from a log sequence numberspace. Each ULR may be persisted to one or more synchronous segments inthe log-structured distributed store that form a Protection Group (PG)maintaining the partition of user data space (i.e. extent) to which theupdate indicate by the log record pertains in order to provide highdurability and availability for the ULR. A volume may provide anLSN-type read/write interface for a variable-size contiguous range ofbytes.

In some embodiments, a volume may consist of multiple extents, each madedurable through a protection group. In such embodiments, a volume mayrepresent a unit of storage composed of a mutable contiguous sequence ofVolume Extents. Reads and writes that are directed to a volume may bemapped into corresponding reads and writes to the constituent volumeextents. In some embodiments, the size of a volume may be changed byadding or removing volume extents from the end of the volume.

Segment: A segment is a limited-durability unit of storage assigned to asingle storage node. Multiple segments may be implemented in aprotection group to persist an extent. More specifically, a segmentprovides limited best-effort durability (e.g., a persistent, butnon-redundant single point of failure that is a storage node) for aspecific fixed-size byte range of data. This data may in some cases be amirror of user-addressable data, or it may be other data, such as volumemetadata or erasure coded bits, in various embodiments. A given segmentmay live on exactly one storage node. Within a storage node, multiplesegments may live on each SSD, and each segment may be restricted to oneSSD (e.g., a segment may not span across multiple SSDs). In someembodiments, a segment may not be required to occupy a contiguous regionon an SSD; rather there may be an allocation map in each SSD describingthe areas that are owned by each of the segments. As noted above, aprotection group may consist of multiple segments spread across multiplestorage nodes. In some embodiments, a segment may provide an LSN-typeread/write interface for a fixed-size contiguous range of bytes (wherethe size is defined at creation). In some embodiments, each segment maybe identified by a Segment UUID (e.g., a universally unique identifierof the segment).

Storage page: A storage page is a block of memory, generally of fixedsize. In some embodiments, each page is a block of memory (e.g., ofvirtual memory, disk, or other physical memory) of a size defined by theoperating system, and may also be referred to herein by the term “datablock”. More specifically, a storage page may be a set of contiguoussectors. It may serve as the unit of allocation in SSDs, as well as theunit in log pages for which there is a header and metadata. In someembodiments, and in the context of the database systems describedherein, the term “page” or “storage page” may refer to a similar blockof a size defined by the database configuration, which may typically amultiple of 2, such as 4096, 8192, 16384, or 32768 bytes.

Log page: A log page is a type of storage page that is used to store logrecords (e.g., redo log records or undo log records). In someembodiments, log pages may be identical in size to storage pages. Eachlog page may include a header containing metadata about that log page,e.g., metadata identifying the segment to which it belongs. Note that alog page is a unit of organization and may not necessarily be the unitof data included in write operations. For example, in some embodiments,during normal forward processing, write operations may write to the tailof the log one sector at a time.

Log Records: Log records (e.g., the individual elements of a log page)may be of several different classes. For example, User Log Records(ULRs), which are created and understood by users/clients/applicationsof the storage system, may be used to indicate changes to user data in avolume. Log records may include metadata, such as pointers or backlinks, that indicate a previous LSN for log record maintained at aparticular segment and/or the previous LSN in the log sequence numberspace. Control Log Records (CLRs), which are generated by the storagesystem, may also contain control information used to keep track ofmetadata such as the current unconditional volume durable LSN (VDL).Null Log Records (NLRB) may in some embodiments be used as padding tofill in unused space in a log sector or log page. In some embodiments,there may be various types of log records within each of these classes,and the type of a log record may correspond to a function that needs tobe invoked to interpret the log record. For example, one type mayrepresent all the data of a user page in compressed format using aspecific compression format; a second type may represent new values fora byte range within a user page; a third type may represent an incrementoperation to a sequence of bytes interpreted as an integer; and a fourthtype may represent copying one byte range to another location within thepage. In some embodiments, log record types may be identified by GUIDs(rather than by integers or enums), which may simplify versioning anddevelopment, especially for ULRs.

Payload: The payload of a log record is the data or parameter valuesthat are specific to the log record or to log records of a particulartype. For example, in some embodiments, there may be a set of parametersor attributes that most (or all) log records include, and that thestorage system itself understands. These attributes may be part of acommon log record header/structure, which may be relatively smallcompared to the sector size. In addition, most log records may includeadditional parameters or data specific to that log record type, and thisadditional information may be considered the payload of that log record.In some embodiments, if the payload for a particular ULR is larger thanthe user page size, it may be replaced by an absolute ULR (an AULR)whose payload includes all the data for the user page. This may enablethe storage system to enforce an upper limit on the size of the payloadfor ULRs that is equal to the size of user pages.

Note that when storing log records in the segment log, the payload maybe stored along with the log header, in some embodiments. In otherembodiments, the payload may be stored in a separate location, andpointers to the location at which that payload is stored may be storedwith the log header. In still other embodiments, a portion of thepayload may be stored in the header, and the remainder of the payloadmay be stored in a separate location. If the entire payload is storedwith the log header, this may be referred to as in-band storage;otherwise the storage may be referred to as being out-of-band. In someembodiments, the payloads of most large AULRs may be stored out-of-bandin the cold zone of log (which is described below).

User pages: User pages are the byte ranges (of a fixed size) andalignments thereof for a particular volume that are visible tousers/clients of the storage system. User pages are a logical concept,and the bytes in particular user pages may or not be stored in anystorage page as-is. The size of the user pages for a particular volumemay be independent of the storage page size for that volume. In someembodiments, the user page size may be configurable per volume, anddifferent segments on a storage node may have different user page sizes.In some embodiments, user page sizes may be constrained to be a multipleof the sector size (e.g., 4 KB), and may have an upper limit (e.g., 64KB). The storage page size, on the other hand, may be fixed for anentire storage node and may not change unless there is a change to theunderlying hardware.

Data page: A data page is a type of storage page that is used to storeuser page data in compressed form. In some embodiments every piece ofdata stored in a data page is associated with a log record, and each logrecord may include a pointer to a sector within a data page (alsoreferred to as a data sector). In some embodiments, data pages may notinclude any embedded metadata other than that provided by each sector.There may be no relationship between the sectors in a data page.Instead, the organization into pages may exist only as an expression ofthe granularity of the allocation of data to a segment.

Storage node: A storage node is a single virtual machine that on whichstorage node server code is deployed. Each storage node may containmultiple locally attached SSDs, and may provide a network API for accessto one or more segments. In some embodiments, various nodes may be on anactive list or on a degraded list (e.g., if they are slow to respond orare otherwise impaired, but are not completely unusable). In someembodiments, the client-side driver may assist in (or be responsiblefor) classifying nodes as active or degraded, for determining if andwhen they should be replaced, and/or for determining when and how toredistribute data among various nodes, based on observed performance.Multiple storage nodes may together implement a protection group, insome embodiments.

SSD: As referred to herein, the term “SSD” may refer to a local blockstorage volume as seen by the storage node, regardless of the type ofstorage employed by that storage volume, e.g., disk, a solid-statedrive, a battery-backed RAM, a non-volatile RAM device (e.g., one ormore NV-DIMMs) or another type of persistent storage device. An SSD isnot necessarily mapped directly to hardware. For example, a singlesolid-state storage device might be broken up into multiple localvolumes where each volume is split into and striped across multiplesegments, and/or a single drive may be broken up into multiple volumessimply for ease of management, in different embodiments. In someembodiments, each SSD may store an allocation map at a single fixedlocation. This map may indicate which storage pages that are owned byparticular segments, and which of these pages are log pages (as opposedto data pages). In some embodiments, storage pages may be pre-allocatedto each segment so that forward processing may not need to wait forallocation. Any changes to the allocation map may need to be madedurable before newly allocated storage pages are used by the segments.

One embodiment of a distributed storage system is illustrated by theblock diagram in FIG. 4. In at least some embodiments, storage nodes430-450 may store data for different clients as part of a multi-tenantstorage service. For example, the various segments discussed above andbelow with regard to FIG. 9, may correspond to different protectiongroups and volumes for different clients.

In some embodiments, a database system 400 may be a client ofdistributed storage system 410, which communicates with a databaseengine head node 420 over interconnect 460. As in the exampleillustrated in FIG. 3, database engine head node 420 may include aclient-side storage service driver 425. In this example, distributedstorage system 410 includes multiple storage system server nodes(including those shown as 430, 440, and 450), each of which includesstorage for data pages and redo logs for the segment(s) it stores, andhardware and/or software configured to perform various segmentmanagement functions. For example, each storage system server node mayinclude hardware and/or software configured to perform at least aportion of any or all of the following operations: replication (locally,e.g., within the storage node), coalescing of redo logs to generate datapages, log management (e.g., manipulating log records), crash recovery(e.g., determining candidate log records for volume recovery), and/orspace management (e.g., for a segment). Each storage system server nodemay also have multiple attached storage devices (e.g., SSDs) on whichdata blocks may be stored on behalf of clients (e.g., users, clientapplications, and/or database service subscribers).

In the example illustrated in FIG. 4, storage system server node 430includes data page(s) 433, segment redo log(s) 435, segment managementfunctions 437, and attached SSDs 471-478. Again note that the label“SSD” may or may not refer to a solid-state drive, but may moregenerally refer to a local block storage volume, regardless of itsunderlying hardware. Similarly, storage system server node 440 includesdata page(s) 443, segment redo log(s) 445, segment management functions447, and attached SSDs 481-488; and storage system server node 450includes data page(s) 453, segment redo log(s) 455, segment managementfunctions 457, and attached SSDs 491-498.

In some embodiments, each of the storage system server nodes in thedistributed storage system may implement a set of processes running onthe node server's operating system that manage communication with thedatabase engine head node, e.g., to receive redo logs, send back datapages, etc. In some embodiments, all data blocks written to thedistributed storage system may be backed up to long-term and/or archivalstorage (e.g., in a remote key-value durable backup storage system).

Distributed storage system 410 may also implement a storage controlplane. Storage control plane may be one or more compute nodes configuredto perform a variety of different storage system management functions.For example, storage control plane may implement a volume manager (notillustrated), which may be configured to maintain mapping information orother metadata for a volume, such as current volume state, currentwriter, truncation tables or other truncation information, or any otherinformation for a volume as it is persisted in varying different,extents, segments, and protection groups. The volume manager may beconfigured to communicate with a client of storage system 410, such asclient-side driver 425 in order to “mount” or “open” the volume for theclient, providing client-side driver 425 with mapping information,protection group policies, and various other information necessary tosend write and read requests to storage nodes 430-450. The volumemanager may be configured to provide the maintained information tostorage clients, such as database engine head node 420 or client-sidedriver 425 or to other system components such as recovery service agents418. For example, the volume manager may provide a current volume state(e.g., clean, dirty or recovery), current epoch indicator and/or anyother information about the data volume.

In at least some embodiments, distributed storage system 410 mayimplement volume backup and restore service 412 which may be implementedas part of a control plane for distributed storage system 410 or asseparate system or service. Volume backup and restore service 412 mayimplement multiple backup and restore agents which may assumeresponsibility for tasks in task queue(s) 416 and perform either backupor restore of data volumes stored at storage nodes, such as describedbelow with regard to FIGS. 6 and 7. Task queue(s) 416 may be datastructures that identify backup operations to be performed with respectto data volumes (e.g., describing the range of LSNs of redo log recordsbeing included in a chunk that is being generated and uploaded to thebackup data store). Restore tasks, such as tasks to retrieve, unpack,and write data from different data chunks identified for a restoreoperation for a data volume may be recorded or maintained in taskqueues. Volume backup metadata 414 may include the volume geometry orconfiguration (e.g., as discussed below with regard to FIG. 9, includingvarious extents, protection groups, stripes, etc.) and other informationto generate a restored version of a data volume from data chunks storedin the separate backup data store. Note, in some embodiments, volumebackup metadata 414 and task queue(s) 416 may be implemented in aseparate storage service (e.g., a separate database service implementingdatabase table that store task and metadata for data volumes which canbe accessed by backup and recovery agent(s) 418).

FIG. 5 is a block diagram illustrating the use of a separate distributedstorage system in a database system, according to one embodiment. Inthis example, one or more client processes 510 may store data to one ormore databases maintained by a database system that includes a databaseengine 520 and a distributed storage system 530. In the exampleillustrated in FIG. 5, database engine 520 includes database tiercomponents 560 and client-side driver 540 (which serves as the interfacebetween distributed storage system 530 and database tier components560). In some embodiments, database tier components 560 may performfunctions such as those performed by query parsing, optimization andexecution component 305 and transaction and consistency managementcomponent 330 of FIG. 3, and/or may store data pages, transaction logsand/or undo logs (such as those stored by data page cache 335,transaction log 340 and undo log 345 of FIG. 3). In various embodiments,database engine 520 may have obtained a volume epoch indicator or otheridentifier from distributed storage system 530 granting access writes toa particular data volume, such as by sending a request to open the datavolume to distributed storage system 530.

In this example, one or more client processes 510 may send databasequery requests 515 (which may include read and/or write requeststargeting data stored on one or more of the storage nodes 535 a-535 n)to database tier components 560, and may receive database queryresponses 517 from database tier components 560 (e.g., responses thatinclude write acknowledgements and/or requested data). Each databasequery request 515 that includes a request to write to a data page may beparsed and optimized to generate one or more write record requests 541,which may be sent to client-side driver 540 for subsequent routing todistributed storage system 530. In this example, client-side driver 540may generate one or more redo log records 531 corresponding to eachwrite record request 541, and may send them to specific ones of thestorage nodes 535 of specific protection groups storing the partitionuser data of user data space to which the write record request pertainsin distributed storage system 530. Storage nodes 535 may perform variouspeer-to-peer communications to replicate redo log records 531 receivedat a storage node to other storage nodes that may have not received theredo log records 431. For instance, not every storage node may receive aredo log record in order to satisfy a write quorum (e.g., 3 out of 5storage nodes may be sufficient). The remaining storage nodes that donot receive or acknowledge the redo log record may receive an indicationof it from a peer storage node that did acknowledge or receive the redolog record. Client-side driver 540 may generate metadata for each of theredo log records that includes an indication of a previous log sequencenumber of a log record maintained at the specific protection group.Distributed storage system 530 may return a corresponding writeacknowledgement(s) 523 for each redo log record 531 to database engine520 (specifically to client-side driver 540). Client-side driver 540 maypass these write acknowledgements to database tier components 560 (aswrite responses 542), which may then send corresponding responses (e.g.,write acknowledgements) to one or more client processes 510 as one ofdatabase query responses 517.

In this example, each database query request 515 that includes a requestto read a data page may be parsed and optimized to generate one or moreread record requests 543, which may be sent to client-side driver 540for subsequent routing to distributed storage system 530. In thisexample, client-side driver 540 may send these requests to specific onesof the storage nodes 535 of distributed storage system 530, anddistributed storage system 530 may return the requested data pages 533to database engine 520 (specifically to client-side driver 540).Client-side driver 540 may send the returned data pages to the databasetier components 560 as return data records 544, and database tiercomponents 560 may then send the data pages to one or more clientprocesses 510 as database query responses 517.

In some embodiments, various error and/or data loss messages 534 may besent from distributed storage system 530 to database engine 520(specifically to client-side driver 540). These messages may be passedfrom client-side driver 540 to database tier components 560 as errorand/or loss reporting messages 545, and then to one or more clientprocesses 510 along with (or instead of) a database query response 517.

In some embodiments, backup nodes 537 may receive peer-to-peerindications from storage nodes 535. By evaluating these indicationsbackup nodes 537 may identify additional redo log records received atstorage nodes 535 that have not been backed up. Backup node(s) 537 maysend chunks or objects containing a set of redo log records 551 tobackup storage system 570 to be stored as part of a backup version ofthe data volume. In some embodiments, data page chunks 553 to create afull backup of the data volume (as opposed to log records describing thechanges to the data volume) may be requested from storage nodes and sentto backup storage system 570. FIG. 12, discussed below provides variousexamples of when data page chunks may be sent to storage system 570.

In some embodiments, the APIs 531-534 of distributed storage system 530and the APIs 541-545 of client-side driver 540 may expose thefunctionality of the distributed storage system 530 to database engine520 as if database engine 520 were a client of distributed storagesystem 530. For example, database engine 520 (through client-side driver540) may write redo log records or request data pages through these APIsto perform (or facilitate the performance of) various operations of thedatabase system implemented by the combination of database engine 520and distributed storage system 530 (e.g., storage, access, changelogging, recovery, and/or space management operations). As illustratedin FIG. 5, distributed storage system 530 may store data blocks onstorage nodes 535 a-535 n, each of which may have multiple attachedSSDs. In some embodiments, distributed storage system 530 may providehigh durability for stored data block through the application of varioustypes of redundancy schemes.

As noted above, in some embodiments, the functional components of adatabase system may be partitioned between those that are performed bythe database engine and those that are performed in a separate,distributed storage system. In one specific example, in response toreceiving a request from a client process (or a thread thereof) toinsert something into a database (e.g., to update a single data block byadding a record to that data block), one or more components of thedatabase engine head node may perform query parsing, optimization, andexecution, and may send each portion of the query to a transaction andconsistency management component. The transaction and consistencymanagement component may ensure that no other client process (or threadthereof) is trying to modify the same row at the same time. For example,the transaction and consistency management component may be responsiblefor ensuring that this change is performed atomically, consistently,durably, and in an isolated manner in the database. For example, thetransaction and consistency management component may work together withthe client-side storage service driver of the database engine head nodeto generate a redo log record to be sent to one of the nodes in thedistributed storage service and to send it to the distributed storageservice (along with other redo logs generated in response to otherclient requests) in an order and/or with timing that ensures the ACIDproperties are met for this transaction. Upon receiving the redo logrecord (which may be considered an “update record” by the storageservice), the corresponding storage node may update the data block, andmay update a redo log for the data block (e.g., a record of all changesdirected to the data block). In some embodiments, the database enginemay be responsible for generating an undo log record for this change,and may also be responsible for generating a redo log record for theundo log both of which may be used locally (in the database tier) forensuring transactionality. However, unlike in traditional databasesystems, the systems described herein may shift the responsibility forapplying changes to data blocks to the storage system (rather thanapplying them at the database tier and shipping the modified data blocksto the storage system).

Note that in various embodiments, the API calls and responses betweendatabase engine 520 and distributed storage system 530 (e.g., APIs531-534) and/or the API calls and responses between client-side driver540 and database tier components 560 (e.g., APIs 541-545), and betweendistributed storage system 430 and backup data store 570 in FIG. 5 maybe performed over a secure proxy connection (e.g., one managed by agateway control plane), or may be performed over the public network or,alternatively, over a private channel such as a virtual private network(VPN) connection. These and other APIs to and/or between components ofthe database systems described herein may be implemented according todifferent technologies, including, but not limited to, Simple ObjectAccess Protocol (SOAP) technology and Representational state transfer(REST) technology. For example, these APIs may be, but are notnecessarily, implemented as SOAP APIs or RESTful APIs. SOAP is aprotocol for exchanging information in the context of network-basedservices. REST is an architectural style for distributed hypermediasystems. A RESTful API (which may also be referred to as a RESTfulnetwork-based service) is a network-based service API implemented usingHTTP and REST technology. The APIs described herein may in someembodiments be wrapped with client libraries in various languages,including, but not limited to, C, C++, Java, C # and Perl to supportintegration with system components.

As noted above, backup nodes may participate in peer-to-peer replicationto identify updates backup versions of data volumes. FIG. 6 is a logicalblock diagram illustrating a backup node, according to some embodiments.Backup node 620 may retrieve or be assigned the task of performingbackup for all or a portion of a data volume. In some embodiments,backup nodes may be assigned to perform backup operations with respectto one or multiple protection groups. Backup node assignments may beperformed by obtaining a lease on tasks in task queue(s) 416 or by someother technique for acquiring exclusive rights to perform backupoperations for the assigned data volume (or portion of the data volume,such as the data stored in one or more protection groups).

Backup node 620 may utilize peer-to-peer protocol 630 to communicatewith storage nodes 610 (that maintain the assigned portion of the datavolume, such as protection group members). Backup node 620 may implementdata reader 622 to process update indicates 632 received from storagenodes 610. Update indications may identify the state or changes receivedfor the data volume at a particular storage node. For example, in alog-structured data store, such as discussed above with regard to FIGS.2-5, the indications may identify a log sequence number that identifiesthe point of completion up for the log at the storage node (indicatingthe state of the data volume described that point of the log). Datareader 622 may determine (e.g., based on local metadata at backup node620, or tasks or metadata 650 received from task queues or volumemetadata) the current state of the data volume (e.g., a highest logsequence number stored in a backup version of the data volume). If anyof the storage nodes 610 are identified as maintaining higher logrecords, then as indicated at 634 the updates may be requested from theparticular storage nodes that identify the higher log records, which maybe returned 636 to data reader 622 for application to a backup version.

Backup node 620 may, in some embodiments, implement chunk creator 624which may receive the retrieved log records and create data objects orchunks of log records to be uploaded to the separate data store thatmaintains the backup versions. In some embodiments, chunks may bedetermined according to a specific size (e.g., whole log records thatmay fill up 8 Mb chunk). Generated log record chunks may then be placedinto a queue, buffer, or other structure so that chunk uploader 624 mayretrieve and upload the chunks to the backup data store, as indicated at640. When data chunks are upload tasks and/or other metadata may beupdated 650 to indicate a new current state of backup versions of thedata volume. In at least some embodiments, backup nodes may provideindications (e.g., to a CSD at a database engine head node or othercomponent that directs garbage collection of storage space at storagenodes) of completed chunk uploads so that storage nodes may garbagecollect or reclaim storage space storing the data uploaded in chunks tothe separate data store. Although not illustrated in FIG. 6, similarinteractions to perform a full backup of a data volume may be performedby backup node 620. A data reader, for instance, may identify data pagesthat have not changed between full backups stored in the backup datastore and exclude those data pages from data chunks. For data pages thathave changed, data reader 620 may retrieve the changed data pages andprovide them to chunk creator 624 and chunk uploader 626 to be stored aspart of a full backup of the data volume in the backup data store.

Different backup nodes may work independently and in parallel to performbackup operations for different protection groups of a data volume. Inthis way, backup operations may scale or change as the number ofprotection groups or storage nodes within protection groups change.

Restore operations may be similarly performed by a restore node thatinteracts with the separate backup store and new storage nodes to storea restored version of the data volume. FIG. 7 is a logical block diagramillustrating a restore node, according to some embodiments. As withbackup node 620 above, restore node 720 may obtain a restore task tocreate a volume at particular restore point. In order to determine whichchunks in data store 710 to read, restore node 720 may implement chunkidentification and retrieval 722. To identify the appropriate log recordchunks 712 and page chunks 714, chunk identification and retrieval 722may compare the restore point with metadata or other mapping informationreceived at 730 to determine which are the most recent set of pagechunks that create a full backup version of the data prior to therestore point, and any log record chunks that include log records up tothe restore point (which can be applied to the pages described in thepage chunk to create the version of the data volume restored at therestore point). Once chunk identification and retrieval 722 identifiesthe appropriate chunks, requests to get the identified chunks 740 may bemade to data store 710. The received chunks may be unpacked, asindicated at 724, and volume data writer 726 may write the data volumeat the restore point by applying log records to data pages (asappropriate) to create versions of the data pages to store 750 atstorage nodes 730. The data may be stored according to the sameconfiguration or geometry of the data volume identified for the datavolume at the restore point (as data volume configuration/geometryinformation may be stored in data store backup 710 and/or as part ofmetadata for the volume backup). For example, data page chunks 714 maybe specific to data pages stored in a particular protection group. Whenperforming operations to restore the data volume, restore node 720 mayrestore that protection group at new storage nodes by retrieving theappropriate data chunks for the protection group and writing them to thenew storage nodes to form a restored protection group of the datavolume.

As with backup nodes, restore nodes may work in parallel to restoredifferent portions of a data volume (e.g., different protection groups).In some embodiments, some restore nodes may restore page chunks whileother restore nodes may restore log record chunks. Task updates andmetadata updates may be made to queues/volume metadata to track theprogress of the restore tasks so that if a restore node fails during arestore task, a new restore node may resume performance of the task.

A variety of different allocation models may be implemented for anstorage device, such as an SSD mentioned above, in differentembodiments. For example, in some embodiments, log entry pages andphysical application pages may be allocated from a single heap of pagesassociated with an SSD device. This approach may have the advantage ofleaving the relative amount of storage consumed by log pages and datapages to remain unspecified and to adapt automatically to usage. It mayalso have the advantage of allowing pages to remain unprepared untilthey are used, and repurposed at will without preparation. In otherembodiments, an allocation model may partition the storage device intoseparate spaces for log entries and data pages. Once such allocationmodel is illustrated by the block diagram in FIG. 8 and described below.

FIG. 8 is a block diagram illustrating how data and metadata may bestored on a given storage node (or persistent storage device) of adistributed storage system, according to one embodiment. In thisexample, SSD storage space 800 stores an SSD header and other fixedmetadata in the portion of the space labeled 810. It stores log pages inthe portion of the space labeled 820, and includes a space labeled 830that is initialized and reserved for additional log pages. One portionof SSD storage space 800 (shown as 840) is initialized, but unassigned,and another portion of the space (shown as 850) is uninitialized andunassigned. Finally, the portion of SSD storage space 800 labeled 860stores data pages.

In allocation approach illustrated in FIG. 8, valid log pages may bepacked into the beginning of the flat storage space. Holes that open updue to log pages being freed may be reused before additional log pageslots farther into the address space are used. For example, in the worstcase, the first n log page slots contain valid log data, where n is thelargest number of valid log pages that have ever simultaneously existed.In this example, valid data pages may be packed into the end of the flatstorage space. Holes that open up due to data pages being freed may bereused before additional data page slots lower in the address space areused. For example, in the worst case, the last m data pages containvalid data, where m is the largest number of valid data pages that haveever simultaneously existed.

In some embodiments, before a log page slot can become part of thepotential set of valid log page entries, it may need to be initializedto a value that cannot be confused for a valid future log entry page.This is implicitly true for recycled log page slots, since a retired logpage has enough metadata to never be confused for a new valid log page.However, when a storage device is first initialized, or when space isreclaimed that had potentially been used to store application datapages, the log page slots may need to be initialized before they areadded to the log page slot pool. In some embodiments,rebalancing/reclaiming log space may be performed as a background task.

In some embodiments, a segment may consist of three main parts (orzones): one that contains a hot log, one that contains a cold log, andone that contains user page data. Zones are not necessarily contiguousregions of an SSD. Rather, they can be interspersed at the granularityof the storage page. In addition, there may be a root page for eachsegment that stores metadata about the segment and its properties. Forexample, the root page for a segment may store the user page size forthe segment, the number of user pages in the segment, the currentbeginning/head of the hot log zone (which may be recorded in the form ofa flush number), the volume epoch, and/or access control metadata.

In some embodiments, the hot log zone may accept new writes from theclient as they are received by the storage node. Both Delta User LogRecords (DULRs), which specify a change to a user/data page in the formof a delta from the previous version of the page, and Absolute User LogRecords (AULRs), which specify the contents of a complete user/datapage, may be written completely into the log. Log records may be addedto this zone in approximately the order they are received (e.g., theyare not sorted by LSN) and they can span across log pages. The logrecords may be self-describing, e.g., they may contain an indication oftheir own size. In some embodiments, no garbage collection is performedin this zone. Instead, space may be reclaimed by truncating from thebeginning of the log after all required log records have been copiedinto the cold log. Log sectors in the hot zone may be annotated with themost recent known unconditional VDL each time a sector is written.Conditional VDL CLRs may be written into the hot zone as they arereceived, but only the most recently written VDL CLR may be meaningful.

In some embodiments, the distributed storage systems described hereinmay maintain various data structures in memory. For example, for eachuser page present in a segment, a user page table may store a bitindicating whether or not this user page is “cleared” (i.e., whether itincludes all zeroes), the LSN of the latest log record from the cold logzone for the page, and an array/list of locations of all log recordsfrom the hot log zone for page. For each log record, the user page tablemay store the sector number, the offset of the log record within thatsector, the number of sectors to read within that log page, the sectornumber of a second log page (if the log record spans log pages), and thenumber of sectors to read within that log page. In some embodiments, theuser page table may also store the LSNs of every log record from thecold log zone and/or an array of sector numbers for the payload of thelatest AULR if it is in the cold log zone.

In some embodiments of the distributed storage systems described herein,an LSN index may be stored in memory. An LSN index may map LSNs to logpages within the cold log zone. Given that log records in cold log zoneare sorted, it may be to include one entry per log page. However, insome embodiments, every non-obsolete LSN may be stored in the index andmapped to the corresponding sector numbers, offsets, and numbers ofsectors for each log record.

In some embodiments of the distributed storage systems described herein,a log page table may be stored in memory, and the log page table may beused during garbage collection of the cold log zone. For example, thelog page table may identify which log records are obsolete (e.g., whichlog records can be garbage collected) and how much free space isavailable on each log page.

In the storage systems described herein, an extent may be a logicalconcept representing a highly durable unit of storage that can becombined with other extents (either concatenated or striped) torepresent a volume. Each extent may be made durable by membership in asingle protection group. An extent may provide an LSN-type read/writeinterface for a contiguous byte sub-range having a fixed size that isdefined at creation. Read/write operations to an extent may be mappedinto one or more appropriate segment read/write operations by thecontaining protection group. As used herein, the term “volume extent”may refer to an extent that is used to represent a specific sub-range ofbytes within a volume.

As noted above, a data volume may consist of multiple extents, eachrepresented by a protection group consisting of one or more segments. Insome embodiments, log records directed to different extents may haveinterleaved LSNs. For changes to the volume to be durable up to aparticular LSN it may be necessary for all log records up to that LSN tobe durable, regardless of the extent to which they belong. In someembodiments, the client may keep track of outstanding log records thathave not yet been made durable, and once all ULRs up to a specific LSNare made durable, it may send a Volume Durable LSN (VDL) message to oneof the protection groups in the volume. The VDL may be written to allsynchronous mirror segments (i.e. group members) for the protectiongroup. This is sometimes referred to as an “Unconditional VDL” and itmay be periodically persisted to various segments (or more specifically,to various protection groups) along with write activity happening on thesegments. In some embodiments, the Unconditional VDL may be stored inlog sector headers.

FIG. 9 is a block diagram illustrating an example configuration of adatabase volume 910, according to one embodiment. In this example, datacorresponding to each of various address ranges 915 (shown as addressranges 915 a-915 e) is stored as different segments 945 (shown assegments 945 a-945 n). More specifically, data corresponding to each ofvarious address ranges 915 may be organized into different extents(shown as extents 925 a-925 b, and extents 935 a-935 h), and variousones of these extents may be included in different protection groups 930(shown as 930 a-930 f), with or without striping (such as that shown asstripe set 920 a and stripe set 920 b). In this example, protectiongroup 1 illustrates the use of erasure coding. In this example,protection groups 2 and 3 and protection groups 6 and 9 representmirrored data sets of each other, while protection group 4 represents asingle-instance (non-redundant) data set. In this example, protectiongroup 8 represents a multi-tier protection group that combines otherprotection groups (e.g., this may represent a multi-region protectiongroup). In this example, stripe set 1 (920 a) and stripe set 2 (920 b)illustrates how extents (e.g., extents 925 a and 925 b) may be stripedinto a volume, in some embodiments.

More specifically, in this example, protection group 1 (930 a) includesextents a-c (935 a-935 c), which include data from ranges 1-3 (915 a-915c), respectively, and these extents are mapped to segments 1-4 (945a-945 d). Protection group 2 (930 b) includes extent d (935 d), whichincludes data striped from range 4 (915 d), and this extent is mapped tosegments 5-7 (945 e-945 g). Similarly, protection group 3 (930 c)includes extent e (935 e), which includes data striped from range 4 (915d), and is mapped to segments 8-9 (945 h-945 i); and protection group 4(930 d) includes extent f (935 f), which includes data striped fromrange 4 (915 d), and is mapped to segment 10 (945 j). In this example,protection group 6 (930 e) includes extent g (935 g), which includesdata striped from range 5 (915 e), and is mapped to segments 11-12 (945k-945 l); and protection group 7 (930 f) includes extent h (935 h),which also includes data striped from range 5 (915 e), and is mapped tosegments 13-14 (945 m-945 n).

Please note that the striping, erasure coding, and other storage schemesfor the database volume apply to the user data space of the databasevolume, not the log records pertaining to the volume. Log records aresegmented across protection groups according to the partition of thevolume maintained at the protection group. For example, log recordsindicating updates to the user data striped from range 5 maintained inPG 6, pertain to the user data in PG 6.

The distributed storage service and database service discussed in FIGS.2 through 9 provide examples of a distributed data store storing a datavolume for a storage client (e.g., the database) and providingcontinuous back for the data volume. However, various other types ofdistributed storage systems may be implement continuous backup for data,which may not be log-structured, along with other types of storageclients, which may not be databases. FIG. 10 is a high-level flowchartillustrating methods and techniques to implement continuous backup ofdata in a distributed data store, according to some embodiments. Variousdifferent distributed data stores, volume recovery services, storageclients may implement the techniques described below.

As indicated at 1010, indications of updates to data maintained acrossstorage nodes in a distributed data store may be received according to apeer-to-peer replication scheme. Data or data volumes may be maintainedin different configurations, such as protection groups or otherpartitions, segments, or divisions of the data amongst different sets ofstorage nodes replicating the portion of data. Peer-to-peer replicationschemes may be any replication scheme that allows updates made at onestorage node maintaining data to be discovered and replicated by anotherstorage node. Gossip-based protocols, for instance, may allow storagenodes to forward received updates (or indications indicating that anupdate has been received) to other storage nodes. In some embodiments,other storage nodes may request state or other information which mayindicate updates received at the storage nodes (e.g., log sequencenumbers, timestamps, or other update identifiers). Like other storagenodes, a backup node or other component performing continuous backup mayrequest and/or receive the indications utilizing the same peer-to-peerreplication scheme (e.g., utilizing the same API commands to establishconnections, poll/request for update indications, retrieve updates,etc.).

As indicated at 1020, an evaluation of the indications may be performedto determine whether additional updates may need to be applied to abackup version of the data stored in a separate data store. For example,a current state of a backup version of data may be indicated by a logsequence number, timestamp, or other version indicator that isassociated with a particular state of the data at a particular time.This current state may be compared with the indications of updates todetermine if the update indications received are already included in thebackup version of data. If the updates are included already, then noadditional updates are needed for the backup version of the data store,and the backup node may ignore the received indications and continue toreceive and evaluate new update indications, as indicated by thenegative exit from 1020 and loop back to element 1010.

If additional updates are determined, as indicated by the positive exitfrom 1020, then the additional updates may be obtained from the storagenodes according to the replication scheme as shown in 1030. For example,share requests, or other requests formatted according to thepeer-to-peer replication protocol may be sent to the storage nodes thatindicated the additional updates. Once the additional updates areobtained, then as indicated at 1040, the backup version of the data maybe updated to include additional updates. Backup versions of data may beformatted in different ways. In some embodiments, backup versions ofdata may include one or more data objects that describe a full-backupversion of the data (e.g., a consistent version of each data page in aprotection group or across a data volume) and one or more data objectsthat describe changes to the full-backup version. In this way,additional updates may be quickly identified, obtained and stored in abackup data store without having to apply or create new versions of datapages directly. When a data volume is restored, as discussed above withregard to FIG. 7, then the objects describing the changes may be appliedto the full-backup version objects.

By participating in peer-to-peer communications with storage nodes, abackup node may detect changes in the configuration of data. Backupnodes may then initiate responsive actions to adapt continuous backup toaccount for the changes in the configuration of the data. FIG. 11 is ahigh-level flowchart illustrating methods and techniques to detectchanges in configuration of data and adapt continuous backup for thedata in a distributed data store, according to some embodiments. Asindicated at 1110, a change in the configuration of the data in thedistributed data store may be detected in the peer-to-peer replicationscheme. For example, peer-to-peer communications may include anidentifier, such as an epoch or version number associated with the data,which is associated with a current configuration of the data. If theconfiguration is changed as result of various types of events, theidentifier would change. Storage nodes aware of the change maycommunicate the changed identifier (and possibly the reason for thechange) to other storage nodes/backup node when communicating. Storagenodes/backup node may then discover the reason for the change and adaptaccordingly. In the case of the backup node, backup tasks may be updatedin a task queue, backup metadata, or other tracking informationmaintained for performing continuous backup for the data.

One example of a change that may be detected, is a protection groupmembership change, as indicated at 1120. Protection group membershipchanges may occur when storage nodes fail, become stressed, or arereassigned from a protection group maintaining a portion of data (e.g.,an extent of a data volume). The membership change may include addingnew storage nodes to take the place of old storage nodes or additionalstorage nodes to increase the number of storage nodes in the protectiongroup. The backup node detecting the change may, as indicated at 1122,identify the new storage nodes in the membership change, and may modifybackup node assignments, in some embodiments. For instance, the backupnode may update tasks or create new tasks in a task queue or other setof backup tracking data to identify the change in PG membership, andthat the backup node is going to assume responsibility for communicatingwith the new storage nodes.

Another example of a detected configuration change may be a data sizechange, as indicated at 1130. For instance, in some embodiments, datavolumes may scale according to the needs of clients storing the datavolume. As the data volume grows, additional extents, protection groups,segments, and so on, may need to be created at new storage nodes, as analternative to changing the size of existing protection groups. Insteadof increasing the burden on existing backup node(s) to performcontinuous backup for the new protection groups, new backup node taskassignments may be created, as indicated at 1132, in order to initiatecontinuous backup for the new protection groups.

Another example of a detected configuration change may be a logtruncation, as indicated at 1140. For log-structured data stores thatstore updates to data as log records (e.g., as discussed in FIGS. 2-9above), a truncation event may occur when a failure, error, or otheroperation creates an inconsistent state for the data in the log which isresolved by truncating or excluding a portion of the log from beingconsidered valid. A truncation point or range, for example, may indicatethat log records with sequence numbers after the point or in the rangeare ignored and not considered valid changes to the data. Whentruncation events occur, a backup node may include the backup version ofthe data in the backup data store, as indicated at 1142, so that whenrestored versions are created, the truncated portions of the log are notincluded in the restored version of the data.

As noted above, in addition to including individual updates to a backupversion of a data store, a full backup version may be occasionallycreated by a backup node utilizing similar techniques. FIG. 12 is ahigh-level flowchart illustrating methods and techniques to implementgenerating a full-backup version of data in a backup data store,according to some embodiments. As indicated at 1210, a full-backup eventmay be detected (e.g., by a backup node or other distributed data storecomponent). Various conditions may trigger a full-backup event. In someembodiments, a full-backup event may be triggered after a certain amountof updates (e.g., >2 GB of updates) have been stored to a backup datastore. In other examples, the number of updates since a last full-backupversion or the amount of time (e.g., 30 mins.) since a last full-backupversion is uploaded may trigger a full-backup event.

Once detected, data pages of a consistent version of the data may beidentified to upload to a backup data store for a full-backup version ofthe data, as indicated at 1220. For example, the data pages may all beassociated with or inclusive of log records up to a particular logsequence number or timestamp. Data pages with no changes may beidentified, as indicated at 1230. In some embodiments, as indicated at1240, at least some of those data pages with no changes since a lastupload of a full-backup version may be excluded from uploads for thecurrent full-backup version being generated. For example, if no logrecords or other update indications are directed toward a data page thenit may be identified as having no changes. For those data pages that areexcluded, place holders or links to objects containing the unchangeddata records may be included. As indicated at 1250, the identified datapages may be uploaded to store the full-backup version of the data in aseparate data store. For example, data objects or chunks of data pagesmay be stored in the separate data store. Note that in some embodiments,full-backup versions may be stored as a group of data objects thatcorrespond to different portions of the data (e.g., different segment orextent portions) that include whole data pages. So it may be that a dataobject may be uploaded with some data pages that have no changes andsome data pages with changes, whereas those data objects with data pagesthat have no changes may not be uploaded, as indicated at 1240. In someembodiments, a limitation on a number of place holders or links to anobject in a prior full-backup version may be imposed so that a new copyof the linked data object may be uploaded along with data objects withchanges in response to a full-backup event.

The methods described herein may in various embodiments be implementedby any combination of hardware and software. For example, in oneembodiment, the methods may be implemented by a computer system (e.g., acomputer system as in FIG. 13) that includes one or more processorsexecuting program instructions stored on a computer-readable storagemedium coupled to the processors. The program instructions may beconfigured to implement the functionality described herein (e.g., thefunctionality of various servers and other components that implement thedatabase services/systems and/or storage services/systems describedherein). The various methods as illustrated in the figures and describedherein represent example embodiments of methods. The order of any methodmay be changed, and various elements may be added, reordered, combined,omitted, modified, etc.

FIG. 13 is a block diagram illustrating a computer system configured toimplement the distributed data store providing continuous backup of datain a distributed data store according to various embodiments, as well asvarious other systems, components, services or devices described above.For example, computer system 2000 may be configured to implement adatabase engine head node of a database tier, or one of a plurality ofstorage nodes of a separate distributed storage system that storesdatabases and associated metadata on behalf of clients of the databasetier, in different embodiments. Computer system 2000 may be any ofvarious types of devices, including, but not limited to, a personalcomputer system, desktop computer, laptop or notebook computer,mainframe computer system, handheld computer, workstation, networkcomputer, a consumer device, application server, storage device,telephone, mobile telephone, or in general any type of computing device.

Computer system 2000 includes one or more processors 2010 (any of whichmay include multiple cores, which may be single or multi-threaded)coupled to a system memory 2020 via an input/output (I/O) interface2030. Computer system 2000 further includes a network interface 2040coupled to I/O interface 2030. In various embodiments, computer system2000 may be a uniprocessor system including one processor 2010, or amultiprocessor system including several processors 2010 (e.g., two,four, eight, or another suitable number). Processors 2010 may be anysuitable processors capable of executing instructions. For example, invarious embodiments, processors 2010 may be general-purpose or embeddedprocessors implementing any of a variety of instruction setarchitectures (ISAs), such as the x86, PowerPC, SPARC, or MIPS ISAs, orany other suitable ISA. In multiprocessor systems, each of processors2010 may commonly, but not necessarily, implement the same ISA. Thecomputer system 2000 also includes one or more network communicationdevices (e.g., network interface 2040) for communicating with othersystems and/or components over a communications network (e.g. Internet,LAN, etc.). For example, a client application executing on system 2000may use network interface 2040 to communicate with a server applicationexecuting on a single server or on a cluster of servers that implementone or more of the components of the database systems described herein.In another example, an instance of a server application executing oncomputer system 2000 may use network interface 2040 to communicate withother instances of the server application (or another serverapplication) that may be implemented on other computer systems (e.g.,computer systems 2090).

In the illustrated embodiment, computer system 2000 also includes one ormore persistent storage devices 2060 and/or one or more I/O devices2080. In various embodiments, persistent storage devices 2060 maycorrespond to disk drives, tape drives, solid state memory, other massstorage devices, or any other persistent storage device. Computer system2000 (or a distributed application or operating system operatingthereon) may store instructions and/or data in persistent storagedevices 2060, as desired, and may retrieve the stored instruction and/ordata as needed. For example, in some embodiments, computer system 2000may host a storage system server node, and persistent storage 2060 mayinclude the SSDs attached to that server node.

Computer system 2000 includes one or more system memories 2020 that areconfigured to store instructions and data accessible by processor(s)2010. In various embodiments, system memories 2020 may be implementedusing any suitable memory technology, (e.g., one or more of cache,static random access memory (SRAM), DRAM, RDRAM, EDO RAM, DDR 10 RAM,synchronous dynamic RAM (SDRAM), Rambus RAM, EEPROM,non-volatile/Flash-type memory, or any other type of memory). Systemmemory 2020 may contain program instructions 2025 that are executable byprocessor(s) 2010 to implement the methods and techniques describedherein. In various embodiments, program instructions 2025 may be encodedin platform native binary, any interpreted language such as Java™byte-code, or in any other language such as C/C++, Java™, etc., or inany combination thereof. For example, in the illustrated embodiment,program instructions 2025 include program instructions executable toimplement the functionality of a database engine head node of a databasetier, or one of a plurality of storage nodes, backup nodes, or restorenodes of a separate distributed storage system that stores databases andassociated metadata on behalf of clients of the database tier, indifferent embodiments. In some embodiments, program instructions 2025may implement multiple separate clients, server nodes, and/or othercomponents.

In some embodiments, program instructions 2025 may include instructionsexecutable to implement an operating system (not shown), which may beany of various operating systems, such as UNIX, LINUX, Solaris™, MacOS™,Windows™, etc. Any or all of program instructions 2025 may be providedas a computer program product, or software, that may include anon-transitory computer-readable storage medium having stored thereoninstructions, which may be used to program a computer system (or otherelectronic devices) to perform a process according to variousembodiments. A non-transitory computer-readable storage medium mayinclude any mechanism for storing information in a form (e.g., software,processing application) readable by a machine (e.g., a computer).Generally speaking, a non-transitory computer-accessible medium mayinclude computer-readable storage media or memory media such as magneticor optical media, e.g., disk or DVD/CD-ROM coupled to computer system2000 via I/O interface 2030. A non-transitory computer-readable storagemedium may also include any volatile or non-volatile media such as RAM(e.g. SDRAM, DDR SDRAM, RDRAM, SRAM, etc.), ROM, etc., that may beincluded in some embodiments of computer system 2000 as system memory2020 or another type of memory. In other embodiments, programinstructions may be communicated using optical, acoustical or other formof propagated signal (e.g., carrier waves, infrared signals, digitalsignals, etc.) conveyed via a communication medium such as a networkand/or a wireless link, such as may be implemented via network interface2040.

In some embodiments, system memory 2020 may include data store 2045,which may be configured as described herein. For example, theinformation described herein as being stored by the database tier (e.g.,on a database engine head node), such as a transaction log, an undo log,cached page data, or other information used in performing the functionsof the database tiers described herein may be stored in data store 2045or in another portion of system memory 2020 on one or more nodes, inpersistent storage 2060, and/or on one or more remote storage devices2070, at different times and in various embodiments. Similarly, theinformation described herein as being stored by the storage tier (e.g.,redo log records, coalesced data pages, and/or other information used inperforming the functions of the distributed storage systems describedherein) may be stored in data store 2045 or in another portion of systemmemory 2020 on one or more nodes, in persistent storage 2060, and/or onone or more remote storage devices 2070, at different times and invarious embodiments. In general, system memory 2020 (e.g., data store2045 within system memory 2020), persistent storage 2060, and/or remotestorage 2070 may store data blocks, replicas of data blocks, metadataassociated with data blocks and/or their state, database configurationinformation, and/or any other information usable in implementing themethods and techniques described herein.

In one embodiment, I/O interface 2030 may be configured to coordinateI/O traffic between processor 2010, system memory 2020 and anyperipheral devices in the system, including through network interface2040 or other peripheral interfaces. In some embodiments, I/O interface2030 may perform any necessary protocol, timing or other datatransformations to convert data signals from one component (e.g., systemmemory 2020) into a format suitable for use by another component (e.g.,processor 2010). In some embodiments, I/O interface 2030 may includesupport for devices attached through various types of peripheral buses,such as a variant of the Peripheral Component Interconnect (PCI) busstandard or the Universal Serial Bus (USB) standard, for example. Insome embodiments, the function of I/O interface 2030 may be split intotwo or more separate components, such as a north bridge and a southbridge, for example. Also, in some embodiments, some or all of thefunctionality of I/O interface 2030, such as an interface to systemmemory 2020, may be incorporated directly into processor 2010.

Network interface 2040 may be configured to allow data to be exchangedbetween computer system 2000 and other devices attached to a network,such as other computer systems 2090 (which may implement one or morestorage system server nodes, database engine head nodes, and/or clientsof the database systems described herein), for example. In addition,network interface 2040 may be configured to allow communication betweencomputer system 2000 and various I/O devices 2050 and/or remote storage2070. Input/output devices 2050 may, in some embodiments, include one ormore display terminals, keyboards, keypads, touchpads, scanning devices,voice or optical recognition devices, or any other devices suitable forentering or retrieving data by one or more computer systems 2000.Multiple input/output devices 2050 may be present in computer system2000 or may be distributed on various nodes of a distributed system thatincludes computer system 2000. In some embodiments, similar input/outputdevices may be separate from computer system 2000 and may interact withone or more nodes of a distributed system that includes computer system2000 through a wired or wireless connection, such as over networkinterface 2040. Network interface 2040 may commonly support one or morewireless networking protocols (e.g., Wi-Fi/IEEE 802.11, or anotherwireless networking standard). However, in various embodiments, networkinterface 2040 may support communication via any suitable wired orwireless general data networks, such as other types of Ethernetnetworks, for example. Additionally, network interface 2040 may supportcommunication via telecommunications/telephony networks such as analogvoice networks or digital fiber communications networks, via storagearea networks such as Fibre Channel SANs, or via any other suitable typeof network and/or protocol. In various embodiments, computer system 2000may include more, fewer, or different components than those illustratedin FIG. 13 (e.g., displays, video cards, audio cards, peripheraldevices, other network interfaces such as an ATM interface, an Ethernetinterface, a Frame Relay interface, etc.)

It is noted that any of the distributed system embodiments describedherein, or any of their components, may be implemented as one or morenetwork-based services. For example, a database engine head node withinthe database tier of a database system may present database servicesand/or other types of data storage services that employ the distributedstorage systems described herein to clients as network-based services.In some embodiments, a network-based service may be implemented by asoftware and/or hardware system designed to support interoperablemachine-to-machine interaction over a network. A network-based servicemay have an interface described in a machine-processable format, such asthe Web Services Description Language (WSDL). Other systems may interactwith the network-based service in a manner prescribed by the descriptionof the network-based service's interface. For example, the network-basedservice may define various operations that other systems may invoke, andmay define a particular application programming interface (API) to whichother systems may be expected to conform when requesting the variousoperations.

In various embodiments, a network-based service may be requested orinvoked through the use of a message that includes parameters and/ordata associated with the network-based services request. Such a messagemay be formatted according to a particular markup language such asExtensible Markup Language (XML), and/or may be encapsulated using aprotocol such as Simple Object Access Protocol (SOAP). To perform anetwork-based services request, a network-based services client mayassemble a message including the request and convey the message to anaddressable endpoint (e.g., a Uniform Resource Locator (URL))corresponding to the network-based service, using an Internet-basedapplication layer transfer protocol such as Hypertext Transfer Protocol(HTTP).

In some embodiments, network-based services may be implemented usingRepresentational State Transfer (“RESTful”) techniques rather thanmessage-based techniques. For example, a network-based serviceimplemented according to a RESTful technique may be invoked throughparameters included within an HTTP method such as PUT, GET, or DELETE,rather than encapsulated within a SOAP message.

The various methods as illustrated in the figures and described hereinrepresent example embodiments of methods. The methods may be implementedmanually, in software, in hardware, or in a combination thereof. Theorder of any method may be changed, and various elements may be added,reordered, combined, omitted, modified, etc.

Although the embodiments above have been described in considerabledetail, numerous variations and modifications may be made as wouldbecome apparent to those skilled in the art once the above disclosure isfully appreciated. It is intended that the following claims beinterpreted to embrace all such modifications and changes and,accordingly, the above description to be regarded in an illustrativerather than a restrictive sense.

What is claimed is:
 1. A system, comprising: at least one processor; anda memory, storing program instructions that when executed by the atleast one processor, cause the at least one processor to: detect, at abackup node that applies updates to a backup version of a data volume, aconfiguration change for the data volume, wherein the data volume isstored in a distributed data store across a plurality of storage nodesthat provide the updates to the backup node according to a peer-to-peerreplication scheme used to replicate updates to the data volume amongthe plurality of storage nodes and the backup node; and adapt, by thebackup node, performance of obtaining additional updates to the datavolume according to the peer-to-peer replication scheme based, at leastin part, on the detected configuration change.
 2. The system of claim 1,wherein the data configuration change is a change to the plurality ofstorage nodes that store the data volume; and wherein to adapt theperformance of obtaining additional updates to the data volume, theprogram instructions cause the at least one processor to identify a newstorage node storing the data volume that participates in thepeer-to-peer replication scheme.
 3. The system of claim 2, wherein thechange to the plurality of storage nodes adds a storage node theplurality of storage nodes.
 4. The system of claim 2, wherein the changeto the plurality of storage nodes replaces one of the plurality ofstorage nodes.
 5. The system of claim 1, wherein the data configurationchange is a data size change of the data volume; and wherein to adaptthe performance of obtaining additional updates to the data volume, theprogram instructions cause the at least one processor to identifysubsequent updates to be applied to the backup version of the accordingto a new task assignment that accounts for an additional backup nodeadded for updating the backup version of the data volume.
 6. The systemof claim 1, wherein the distributed data store is a log-structured datastore; wherein the data configuration change is a log truncation for thedata volume; and wherein to adapt the performance of obtainingadditional updates to the data volume, the program instructions causethe at least one processor to obtain truncation information to includein the backup version of the data volume.
 7. The system of claim 1,wherein the data configuration change is detected based, at least inpart, on a change to an identifier associated with a configuration ofthe data volume.
 8. A method, comprising: detecting, at a backup nodethat applies updates to a backup version of a data volume, aconfiguration change for the data volume, wherein the data volume isstored in a distributed data store across a plurality of storage nodesthat provide the updates to the backup node according to a peer-to-peerreplication scheme used to replicate updates to the data volume amongthe plurality of storage nodes and the backup node; and adapting, by thebackup node, performance of obtaining additional updates to the datavolume according to the peer-to-peer replication scheme based, at leastin part, on the detected configuration change.
 9. The method of claim 8,wherein the data configuration change is a change to the plurality ofstorage nodes that store the data volume; and wherein adapting theperformance of obtaining additional updates to the data volume comprisesidentifying a new storage node storing the data volume that participatesin the peer-to-peer replication scheme.
 10. The method of claim 9,wherein the change to the plurality of storage nodes adds a storage nodethe plurality of storage nodes.
 11. The method of claim 9, wherein thechange to the plurality of storage nodes replaces one of the pluralityof storage nodes.
 12. The method of claim 8, wherein the dataconfiguration change is a data size change of the data volume; andwherein adapting the performance of obtaining additional updates to thedata volume comprises identifying subsequent updates to be applied tothe backup version of the according to a new task assignment thataccounts for an additional backup node added for updating the backupversion of the data volume.
 13. The method of claim 8, wherein thedistributed data store is a log-structured data store; wherein the dataconfiguration change is a log truncation for the data volume; andwherein adapting the performance of obtaining additional updates to thedata volume comprises obtaining truncation information to include in thebackup version of the data volume.
 14. The method of claim 8, whereinthe data configuration change is detected based, at least in part, on achange to an identifier associated with a configuration of the datavolume.
 15. One or more non-transitory, computer-readable storage media,storing program instructions that when executed on or across one or morecomputing devices cause the one or more computing devices to implement:detecting, at a backup node that applies updates to a backup version ofa data volume, a configuration change for the data volume, wherein thedata volume is stored in a distributed data store across a plurality ofstorage nodes that provide the updates to the backup node according to apeer-to-peer replication scheme used to replicate updates to the datavolume among the plurality of storage nodes and the backup node; andadapting, by the backup node, performance of obtaining additionalupdates to the data volume according to the peer-to-peer replicationscheme based, at least in part, on the detected configuration change.16. The one or more non-transitory, computer-readable storage media ofclaim 15, wherein the data configuration change is a change to theplurality of storage nodes that store the data volume; and wherein, inadapting the performance of obtaining additional updates to the datavolume, the program instructions cause the one or more computing devicesto implement identifying a new storage node storing the data volume thatparticipates in the peer-to-peer replication scheme.
 17. The one or morenon-transitory, computer-readable storage media of claim 16, wherein thechange to the plurality of storage nodes adds a storage node theplurality of storage nodes.
 18. The one or more non-transitory,computer-readable storage media of claim 16, wherein the change to theplurality of storage nodes replaces one of the plurality of storagenodes.
 19. The one or more non-transitory, computer-readable storagemedia of claim 15, wherein the data configuration change is a data sizechange of the data volume; and wherein, in adapting the performance ofobtaining additional updates to the data volume, the programinstructions cause the one or more computing devices to implementidentifying subsequent updates to be applied to the backup version ofthe according to a new task assignment that accounts for an additionalbackup node added for updating the backup version of the data volume.20. The one or more non-transitory, computer-readable storage media ofclaim 15, wherein the distributed data store is a log-structured datastore; wherein the data configuration change is a log truncation for thedata volume; and wherein, in adapting the performance of obtainingadditional updates to the data volume, the program instructions causethe one or more computing devices to implement obtaining truncationinformation to include in the backup version of the data volume.